No one here or in the referenced links has backed up the claim that DMCA would apply to publishing these kernel patches, using quotes from the DMCA itself. Why do you suppose this is?
And more importantly, why are so many people willing to accept these claims without any proof or even any evidence?
Readers need to think for themselves, and not just accept what people tell them. It's all too easy to swallow unsupported claims which fit into our preconceptions. But in fact those are the ones for which it is most important to check the facts, simply because they are the ones where we are most likely to make mistakes.
See my earlier post for evidence that the DMCA does not apply to publishing kernel source. I quote from the text of the DMCA itself, and link back to the rest of it.
Shouldn't a position that has evidence behind it be more believable than one which is offered without any backing at all? Pay attention to your own thought processes as you consider the new information I am presenting here. Think about whether you are being objective and open to new ideas, even when they contradict your prejudices.
Thinking for yourself is hard work, harder than letting other people think for you. But if you can get yourself to do it, eventually you'll find that it's a hard habit to break.
But if that is really taken as a violation of the DMCA, then almost all public notices of security issues may be illegal, even if the author did not write an exploit, and indeed even if no exploit is known to exist. The entire CERT site is at risk. Bruce Schneier may be one of the rampant criminals on Earth.
You're right, these conclusions follow logically from the claim that this kernel changelog violates the DMCA. It's quite clear in fact that it does not; see my earlier post.
Notice that no one here or in the referenced articles and links actually quotes the DMCA to show which provision would be violated by publishing this information! Doesn't that make you suspicious?
It's sad that so many people here are willing to suspend critical thinking when presented with a claim that fits into their preconceptions.
Next time, actually read the law. The DMCA is VERY broad. Sounds to me like your extent of reading on it was the name, and not the contents of the act itself.
The DMCA makes it illegal to publish any sort of information that provides data relating to any sort of bug that could be potentially exploited.
In that case, can you point to where in the DMCA it says this? You might want to take a look at my earlier post, where I quoted the relevant part of the DMCA and showed how it would not apply to a Linux kernel patch. Please enlighten us.
An OS where the user can modify it at will is not a "known quantity" or signed, and even if it was, as soon as you recompile it you would break the signature. Basically, an OS where you are allowed to modify it, can not be trusted. (Allowing modifications being a large part of the "Freedom" involved in Free Software. You can't have it both ways).
There is some truth to this, but note that both HP and IBM have been reported to be working on "trusted Linux" concepts that include TCPA (a similar technology to Palladium). You're right that once a kernel is reviewed and content providers decide to trust it for this purpose, then changing the kernel would change the hash, and it would no longer be trusted. But it would still be open source and many people would prefer it to a closed source system like Windows.
Keep in mind that any more, most Linux users don't patch their operating systems, they don't build their own kernels. They buy or download one and use that. The "trusted Linux" kernels can be released and revved just like existing ones, and each new one can be checked that it doesn't break the trusted computing rules. So there will be periodic releases of new versions that are acceptable for use by content providers.
TCPA-compatible Linux systems can coexist with Palladium-compliant Windows computers, and both can be used for viewing restricted content. You may not choose to call these Linux systems open source, but for the majority of Linux users, things won't be any different than they are today, except that they can download and view protected digital content.
Palladium programs and any Palladium data can only be used on a trusted nub ("nub" basically means kernel). Any changes to the nub are going to have to be submitted for approval as a new trusted nub. How long will this approval process take?
That is a good question. Microsoft has said they are going to publish the source code of the nub, in order to promote independent review. One might suppose that they will do this sometime before the release of the technology. So a couple of related questions you might ask:
Is this true, will they release the nub source before Palladium is fielded?
If the nub changes, does that affect systems that are fielded; in particular does the remote attestation feature (where one system reports a hash of its software to the other) include a hash of the nub? So would fielded systems break if the nub hash changed?
try explaining that to my Mom when she can no longer read her email because the computer crashed
It wouldn't be for all her data, just the sensitive stuff which got locked up, like movies and music under DRM control, or maybe bank account passwords and such.
The process you describe would require that every PC owner (we're talking hundreds of millions and soon billions) diligently backs up their key and keeps it safe
It would just go to a disk file. We were assuming the computer crashed and the disk was OK. If the disk is dead, your data is lost anyway. But if the disk is OK you can get the backed-up key data from a disk file.
Wouldn't this imply that if the hardware vendor died and sold off all of its IP (to help pay off those debts) that if your hardware died, your data would in effect be gone forever, or you would have to illegally violate DMCA to get to it?
I suppose, but Intel is probably not going out of business any time soon. I think you have worse things to worry about than that.
So, when I do this very thing (exporting blob, sending, they reencrypt, reentering the code in a new chip, etc) when my chip has _not_ fried, means I have now two PCs that can both access the same data? So perfect protection is not guaranteed anymore. Right?
Yes, you might be able to pull a con and claim one computer was dead, cloning its key into another computer this way, so you'd have two computers that could both view the data. But it's just those two computers, you still can't put the data out on KaZaA or anything. This is a tiny security leak which the content companies don't care about.
This all assumes that the chipmaker stays in business forever, that your blob cannot become corrupted, and that the next generation chip will use the same blob format. Even if your idea works perfectly in a perfect world, how do you protect against these other drawbacks, especially if you have no CHOICE in how you store your data??
Well, these don't seem to be particularly hard assumptions. Intel probably won't go out of business, most files don't become corrupted, and they will obviously need to have some form of backwards compatibility when they come out with version 2. Keep in mind too that this is just for the "vaulted" data like DRM controlled content, it's not your whole disk. You're going to have these problems with any kind of DRM controls.
Ultimately you either need to persuade someone to give you their creative output in the clear, or else accept that they're only going to give it to you in some encrypted form with restrictions. You both have free choice; they can give it out as they choose, and you can use it or not. No one is being forced to do anything here.
For reference, here is the relevant portion of the DMCA:
(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--
(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.
I can understand that people may be worried about publishing kernel patches, but careful reading of the above makes it very clear that these do not violate the DMCA, even if they inadvertently or implicitly reveal information that could be used to defeat copyright protection. The reason is simply that this is not the primary design and purpose of the information. Rather, the information is designed to extend and improve the functionality of the Linux kernel.
Contrast this with the Sklyarov case, where the primary purpose of the information and technology he presented was to defeat copyright protection.
The situations are completely different.
I can't blame Europeans for being excessively cautious with regard to American law, but they could consult with a lawyer and be reassured. My opinion is that this is really a political statement, and that they are being disingenuous in claiming to be afraid of prosecution.
I'd like to hear more about Microsoft's claim that Palladium can't be used for copy protection of software. What about the idea of sealing (encrypting) part of the program using Palladium, loading it into secure memory, decrypting it and then running it? That would seem to allow for program code to be locked to a given computer, which is the essence of copy protection.
Yet Microsoft claims that Palladium won't facilitate copy protection. Is there some specific technical reason why this scenario won't work? Or does Microsoft just mean that they don't plan to use this method at present?
If it works like TCPA, each trusted module ("Fritz chip") generates its own public/private key pair. The private key stays on the chip and never comes off. No one ever learns the private key; not Microsoft, not the chip maker, not the user who purchases the computer.
The public key gets exported, and then gets certified by some kind of CA analogous to Verisign.
How does a new media producer get their media "signed"?
Palladium doesn't do anything like this, as far as I know. What it allows is that a company could run a server that is able to check the hash of a given piece of client software that is connecting to it from a remote system. This way the server can refuse to download content unless a piece of software it trusts is running remotely.
So if you have some content to distribute, you could write a client and build the legitimate hash of that client into your server. The server would only download if the remote hash of the client software matched what was built into it.
What happens if a key is compromised?
If it were the CA key, it would be as disastrous as if the Verisign CA key were compromised; all the security of the system would be lost.
If a trusted module secret key were pulled off the chip somehow, you could build an emulator that pretended to be that chip. Your emulated PC could then download data and bypass the DRM rules or whatever other rules were supposed to be supported.
That would be another good question to ask: how big is the curtained memory (or whatever they're calling it now)? It's not supposed to hold your whole program, just the "trusted agent" portion of it, so maybe it doesn't have to be that big.
You could ask for more details on how this works: does it hold more than one program at a time? Do programs swap in and out of it? What if one trusted agent went bad, could it hurt another one?
This still leaves mostly the same question, if my machine is offline. Of course, that really could be a question in and of itself.. how does the system function with a non-networked computer?
If your system is offline or un-networked, you can still use the Palladium "virtual vault" and "curtained memory". This would allow your software to create a crypto key and store some data encrypted with it, such that no other software would be able to read that data. Not even the owner of the computer could get to that data except under the rules that your software enforced. He couldn't virtualize it, he couldn't emulate it, he couldn't use a debugger or patch the software.
The reason he can't virtualize your software or run it on an emulation layer is that the data is encrypted with a key that is locked in the crypto chip. The emulator doesn't have that key and so it can't decrypt the data. The reason he can't use a debugger is because (part of) your software runs in the special memory region which is off limits to debuggers. And the reason he can't patch your software (on the disk, say) is because that changes the software hash, which the crypto chip checks when it goes to decrypt the data, to see if it matches what it was when the data was encrypted. Changing the software changes the hash; changing the hash keeps you from getting at the data.
He could still get at the data if he used some hardware hacks, like dual-ported ram or exotic techniques to extract data from the secure crypto chip. These are probably outside of the expertise of the average hacker, though.
So what does "trusted" mean here? It means that your software can manage data and behave in a predictable manner, enforcing specified rules for manipulating the data.
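The sealing behaviour described in this reply can be modelled in a few lines. This is an added illustration, not part of the original post and not Palladium or TCPA code: `SimulatedChip`, its toy HMAC-based cipher and the caller-supplied software image are all assumptions standing in for hardware that would measure the software itself.

```python
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode); stand-in for the chip's cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SimulatedChip:
    """Hypothetical model of the crypto chip: the secret never leaves this object."""

    def __init__(self):
        self._secret = os.urandom(32)

    def _keys(self):
        # Separate encryption and MAC keys, both derived from the chip-resident secret
        enc = hmac.new(self._secret, b"enc", hashlib.sha256).digest()
        mac = hmac.new(self._secret, b"mac", hashlib.sha256).digest()
        return enc, mac

    def seal(self, running_software: bytes, plaintext: bytes) -> bytes:
        enc, mac = self._keys()
        measurement = hashlib.sha256(running_software).digest()  # hash at sealing time
        nonce = os.urandom(16)
        body = nonce + measurement + _keystream_xor(enc, nonce, plaintext)
        return hmac.new(mac, body, hashlib.sha256).digest() + body

    def unseal(self, running_software: bytes, blob: bytes) -> bytes:
        enc, mac = self._keys()
        tag, body = blob[:32], blob[32:]
        # Check 1: only the chip that sealed the blob can authenticate it
        if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
            raise PermissionError("blob was not sealed by this chip")
        nonce, sealed_measurement, ciphertext = body[:16], body[16:48], body[48:]
        # Check 2: the software asking now must hash to the value recorded at sealing
        current = hashlib.sha256(running_software).digest()
        if not hmac.compare_digest(sealed_measurement, current):
            raise PermissionError("software hash changed since sealing")
        return _keystream_xor(enc, nonce, ciphertext)


def demo():
    """Seal once, then try to unseal as the same, a patched, and an emulated system."""
    chip = SimulatedChip()
    agent = b"trusted-agent build 1 (constructed sample image)"
    blob = chip.seal(agent, b"constructed content key")
    attempts = {
        "same software, same chip": (chip, agent),
        "patched software, same chip": (chip, agent + b"\x90"),
        "same software, emulator without chip secret": (SimulatedChip(), agent),
    }
    results = {}
    for label, (device, image) in attempts.items():
        try:
            results[label] = device.unseal(image, blob)
        except PermissionError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```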
What kind of data recovery plans will exist if I buy $1000 dollars worth of digital music that is tied to my processor, only to have my processor get fried in a power surge? Will there be any way to recover my investment, or is it lost? If so, what's to prevent hackers from using that recovery mechanism? If not, how can this be a benefit to customers?
Microsoft hasn't said how this would work, and it is certainly a good question. But I don't agree with your implication that it is somehow an unsolvable problem or indicates that Palladium must be weak.
The related TCPA scheme did have a proposal for how to deal with this. The idea is that your crypto chip has a key in it that encrypts all this data. You can get it to export this key in a "blob" that can only be decrypted by the manufacturer. (Actually the key is exported in two parts, one in the clear and one in the blob, that have to be XOR'd together to recover the real key.)
If your crypto chip dies, you buy a new computer or motherboard with a new chip. You send the backed-up blob and the new chip identifier to the manufacturer, who decrypts the blob data and re-encrypts it for the new chip, and sends it back to you. You then enter this into the new chip, along with the other half of the key, and presto, your new chip is initialized with the same key that was in the old one. So your new computer can read the data that was locked to the old computer.
This is all done in such a way that neither you nor the manufacturer ever sees the crypto key, so the data is still protected.
Now, this is pretty cumbersome, and maybe Microsoft will come out with something better. If this is really going to be a detailed technical presentation, this would be an excellent question to ask. Just don't assume they can't answer it!
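The backup-and-migrate exchange described in this reply, sketched as an added example that is not part of the original post and is not taken from the TCPA specification. The class names are hypothetical, and the toy symmetric `wrap`/`unwrap` stands in for encryption to the manufacturer and to the new chip.

```python
import hashlib
import hmac
import os


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(wrapping_key: bytes, value: bytes) -> bytes:
    """Toy 32-byte key wrap: pad derived from the wrapping key and a fresh nonce."""
    nonce = os.urandom(16)
    return nonce + xor(value, hmac.new(wrapping_key, nonce, hashlib.sha256).digest())


def unwrap(wrapping_key: bytes, wrapped: bytes) -> bytes:
    nonce, body = wrapped[:16], wrapped[16:]
    return xor(body, hmac.new(wrapping_key, nonce, hashlib.sha256).digest())


def fingerprint_of(key: bytes) -> str:
    """One-way fingerprint so the demo can compare keys without printing them."""
    return hashlib.sha256(b"fp" + key).hexdigest()


class Chip:
    """Hypothetical crypto chip holding the storage key that protects sealed data."""

    def __init__(self, chip_id: str, import_key: bytes, maker_key: bytes):
        self.chip_id = chip_id
        self._import_key = import_key      # stand-in for this chip's own key pair
        self._maker_key = maker_key        # stand-in for the manufacturer's public key
        self._storage_key = os.urandom(32)

    def export_backup(self):
        # The key leaves the chip only as two shares that must be XOR'd together
        clear_share = os.urandom(32)
        hidden_share = xor(self._storage_key, clear_share)
        return clear_share, wrap(self._maker_key, hidden_share)

    def import_backup(self, clear_share: bytes, rewrapped: bytes) -> None:
        self._storage_key = xor(clear_share, unwrap(self._import_key, rewrapped))

    def fingerprint(self) -> str:
        return fingerprint_of(self._storage_key)


class Manufacturer:
    def __init__(self):
        self._maker_key = os.urandom(32)
        self._chip_keys = {}
        self.seen = []                     # every value the manufacturer handles in the clear

    def build_chip(self, chip_id: str) -> Chip:
        self._chip_keys[chip_id] = os.urandom(32)
        return Chip(chip_id, self._chip_keys[chip_id], self._maker_key)

    def migrate(self, blob: bytes, new_chip_id: str) -> bytes:
        share = unwrap(self._maker_key, blob)   # decrypt the blob ...
        self.seen.append(share)
        return wrap(self._chip_keys[new_chip_id], share)  # ... re-encrypt for the new chip


def demo():
    maker = Manufacturer()
    old_chip = maker.build_chip("chip-A")  # constructed identifiers
    new_chip = maker.build_chip("chip-B")
    clear_share, blob = old_chip.export_backup()       # user stores both in a disk file
    rewrapped = maker.migrate(blob, new_chip.chip_id)  # user sends blob + new chip id
    new_chip.import_backup(clear_share, rewrapped)     # user enters both halves
    target = old_chip.fingerprint()
    return {
        "key_restored": new_chip.fingerprint() == target,
        "user_share_is_key": fingerprint_of(clear_share) == target,
        "maker_share_is_key": fingerprint_of(maker.seen[0]) == target,
    }


if __name__ == "__main__":
    print(demo())
```

Each party handles only one uniformly random share, which is why neither the user's disk file nor the manufacturer's view reveals the storage key on its own.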
More of a basic business question, but didn't anyone learn from Intel's ill-fated processor serial number "feature" in the Pentium III, or the Div-X movie fiasco? Why would consumers want this at all, and why will they choose it over other alternatives?
The answer is obvious. Once Palladium is in widespread use, (legitimate) content will only be made available to systems that use Palladium to enforce DRM. So a consumer will want to buy a Palladium box because that is the only way that he can download the latest PPV movies, super-CD-quality audio, and other 21st century content that we haven't even thought of yet.
Microsoft benefits by providing a technology which will make the content companies feel comfortable in releasing their data in digital form. This will make PCs more valuable and sell more of them, which means more copies sold of Windows and more money in Microsoft's pocket.
Will it be possible for new peripheral devices, like disk players for Super Audio CD or DVD-Audio, to use Palladium to make sure that only "authorized" (by the drive manufacturer) software can read the data from the disk drive? I.e. will the drive firmware be able to use Palladium to get an attestation on the secure hash of the running software that is trying to access the drive?
This would end unauthorized ripping of data from these new formats, which would be tremendously valuable to the content companies. It is plausible that these companies would only allow their drives to go into computers if Palladium could provide this assurance. Therefore by providing this capability, Microsoft would make PCs more attractive and useful to consumers, sell more copies of Windows, and make more money.
Microsoft has both the incentive and the technological capability to do it. But they haven't said if they will, and none of their public discussion has touched this issue. Please ask them.
what do you do when someone exploits a buffer overrun or a backdoor--or a macro in Word 95--to run arbitrary code, and disable all Palladium features
Palladium has a concept called "curtained memory". It is immune to being touched by ordinary code, you have to be in a new CPU mode which is being defined as part of the Palladium spec (some observers call it "ring -1"). Most buffer overruns and similar bugs will not escalate your privileges high enough to touch the Palladium secure area, even if you can get into (normal) kernel mode.
My understanding is that you'd have to find a bug in the OS kernel software component that runs in the curtained area, which Microsoft calls the "nub" or "Trusted Operating Root". They intend to publish this relatively small software component for review in the hopes that it can be made bug free. If so then bugs in other parts of the software will not defeat Palladium security.
I can answer these already from publicly available information.
1. Will it be possible, as a home user, to create and digitally sign a creative piece of work? Such as, a home movie?
2. What ramifications will this have on digital content created before the introduction of Palladium? Will it still play?
You seem to be under the impression that there is such a thing as "Palladium content" and that it is digitally signed. This is not true. Palladium is a technology that allows software to (A) run unmolested, (B) report its hash securely to a remote system, and (C) create encrypted data files which are locked to a hash of the software.
This means that what is special about a Palladium enabled viewer is not that it only views Palladium content, because there is no such thing. Rather, this viewer can prove its identity (its software hash) to a remote system. That way, if the viewer does enable DRM or some other policies for handling data, the remote system can check for that before downloading data.
So there is no need to digitally sign your content in order for it to play, unless someone creates a viewer that only plays such content, which they could do today independent of Palladium. And your question about old content is likewise misguided, as Palladium is fully compatible with viewers that play old content.
3. Will the information necessary to create a Palladium enabled viewer be available to public? Or will we only be able to use Windows Media Player to play Palladium enabled content? What are the projected licensing costs for a company that wishes to create a viewer that is able to view Palladium enabled content?
This is a better question. Microsoft has implied that they will publish the API to use the Palladium services just like they document all of their other OS services, but it would be good to hear them say that they will be freely available so that everyone could write their own viewers (and other software).
4. Will hardware that requires a signature be able to run content that does not have one? (if yes) Will this then mean that any software that pre-dates the hardware must be upgraded? (if no) Then how will this system differentiate between a desired, older, program, and a virus?
Again, you are thinking in terms of signed content, which is not a Palladium concept.
The only way I can see it possible to effectively implement DRM is to require computers to not play any digital content that does not have a valid encrypted signature, as provided by the various media companies, and/or Microsoft and Intel.
Microsoft has said many times that Palladium does not do this. Of course, anyone could write software which would only play content that had a signature, and that software could otherwise use some Palladium features. But this is not Palladium functionality per se.
What Palladium does is kind of the reverse: it lets the remote server check that you are running "kosher" software. A remote server could refuse to stream content to anything other than Windows Media Player, for example. Palladium would allow WMP to cryptographically prove to the remote server that it was running, and nobody could write a "fake" WMP that could fool the remote system.
Then WMP can impose whatever DRM policies it wants, and the remote server can be confident that the data it sent to you will be managed under those DRM policies.
And of course you can always decide not to download the data, if you don't care to accept the terms under which it is offered.
In this system it seems likely that it is in Microsoft's interest to keep WMP "open" and allow it to play content from as many people as possible. That makes the software more widely useful and ultimately will sell more copies of Windows.
However, it's also possible that Sony or some other content company could create their own media player software, and it might only play Sony content. Again, this would not be a Palladium feature. The only place Palladium would come in is that the Sony servers could make sure that they only downloaded their content to Sony media players.
Oh, also Palladium would allow Sony or the WMP to store their files encrypted on your disk in a really secure way, so that short of hardware hacking you probably won't be able to break the encryption.
How can user written software run on a 'trusted' system?
It's obvious, if you're familiar with the Palladium information that has been released. All software, whoever writes it, will be able to make use of Palladium features via a new API.
What are the Palladium features? Your software will be able to create a "virtual vault" that other software can't see into (an encrypted disk file locked to a hash of your software). You can have a "trusted agent" that runs in a secure memory area which is immune to being inspected or changed using debuggers, virtualizers, etc. You can get the OS to securely report a hash of your software to third parties, cryptographically signed by a key which is locked in the Palladium hardware.
The sense in which these features entitle your software to be called "trusted" is beyond the scope of this reply.
I strongly suggest that the OP read the Palladium docs that are available to familiarize himself with the system before he goes to this lecture.
I prefer the moral and philosophical argument that intellectual property rights are a bad idea (maybe with good intentions) that has failed and cannot be salvaged...
What argument? Where's the argument?
An argument starts with premises, uses logic and reaches a conclusion. All I see here is the conclusion.
The whole essay is like this, a bunch of flat statements of opinion without justification or support. He keeps saying that intellectual property is a bad idea, but he never says what's wrong with it!
Anyone who sees this article as well-written is looking at it from a highly partisan perspective.
What really bothers me on these issues is this: where are those who are searching for truth? Those without an axe to grind, those who are looking for accurate facts and valid arguments? It seems with 90% of the people involved, the positions they take are exactly aligned with their economic interests. They are saying exactly the same things that they would say if they were total liars and only interested in fattening their own wallets, whether as consumers or producers.
Who can claim differently? Who here is objectively interested in the truth on these complex issues, irrespective of whether it helps or hurts him economically?
...it still should be clear that... property is a misnomer. Intellectual property is owned by the public and in essence leased to authors and inventors.
First he says that "property" is the wrong word to use, then he turns around and uses it, talking about it being "owned" and "leased", which are exactly what happens with property!
What people are forgetting here is that Congress represents the people of the United States. Representatives and Senators serve at the pleasure of their constituents. If they consistently pass laws which the people of the United States hate, they will lose their jobs.
This is why the Supreme Court is hesitant to overturn such laws, because there is another check on unjust laws, namely the ballot box. It is only when Congress is overstepping its bounds in a matter where the people support them that the Court is really needed to step in. When the majority takes on too much power and infringes on the rights of the minority, the Supreme Court can act to limit these excesses.
But this does not seem to be what is happening in the case of copyright extensions. It's not like there's a powerless minority whose rights are being infringed by policies supported by the majority of the American people. Rather, these copyright extensions are technical matters that most people simply don't care about. They aren't important enough to make or break a Congressman's career.
What needs to happen is that this has to be solved in the political arena. People who think that copyright policy should be changed need to convince others of that fact, to get them interested in the dispute, to attract supporters and political power. Then they can convince Congress to change its policies.
This issue is simply and fundamentally a matter of politics. The dispute needs to be resolved in the political arena. It may seem easier to convince 9 members of the Supreme Court than the American people. But ultimately it will be more just and more fair to effect change by convincing people, the American people, that these changes are worthwhile.
We have a representative government, but that doesn't mean that everything they do is what you personally would want. What it does mean is that you can try to convince people that your ideas are good, and if you get enough support, the government will go along. That is the proper course for political change in a representative democracy.
Aside from being limited to "encryption research" (only one component of security research, which did not cover the SDMI researchers,)
On the contrary, the threat against Felten et al under the DMCA was just that, a threat, a bluff, and was withdrawn when the bluff was called. The SDMI results have been fully reported and published and DMCA did not stop them.
the exemption contains a ridiculous requirement that scientists first ask permission from companies before collecting data or performing experiments
It says they have to ask for permission; it doesn't say they have to get it! They can go ahead and do their work even without the permission of the copyright holder. What this amounts to, therefore, is a requirement to give notice to the copyright holder that his system is going to be attacked. This is, by the way, consistent with current trends towards responsible reporting of security vulnerabilities.
Another major problem with the exemption: it only permits one step in the scientific process, the actual collection of data, the act of circumventing a DRM system. The next step, publishing or sharing that data with the scientific community, doesn't seem to be exempted, and has been the target of legal disputes in the past.
The wording of the DMCA is somewhat ambiguous on this point, granted. It seems clear from the context that in exempting research, Congress certainly intended to exempt legitimate academic publication of the results, which is part and parcel of the research process. No one has ever been prosecuted on the theory that you can do research, yes, but you can't publish it. This argument has mostly been raised by DMCA opponents.
I've had TiVo for almost three years, and it's crazy to compare it to a VCR. They are nothing alike, the quantitative difference between what they can do is so great that it becomes qualitative.
With TiVo, TV is no longer a time-oriented medium. You don't watch shows when they're on, you watch them when you want to. The only way time matters is that a new show is only available on or after a certain time. It's more like a webcast, or a magazine-type site like The Onion. You're not required to sit there in front of your computer at 6 AM Monday every week to watch the new update of The Onion. You can watch it any time you want, it's just that you know a new one is available on a regular basis. All of TV is that way once you have TiVo.
Of course TiVo isn't the only way to get this. You can use Replay, or Microsoft's new box, or with a lot more effort you can set up a computer to do it. Any of these will give you those improvements.
But whatever you do, don't make the mistake of thinking it's a VCR. It's not, it's a device that turns TV into something that's more like a subset of the web, in that you have instant access to many, many hours of content, whatever has been updated since you viewed it last.
I was involved in getting our software package FIPS 140 certified, which is the major crypto security certification. I think there's some validity to the point that the certification house (which is sort of a gatekeeper to the actual certification) has something of a conflict of interest. We are paying them for the certification, while they are the ones who check the adequacy of our security measures. FIPS is supposed to check on their work, but that was largely a rubber stamp.
Nevertheless the certification house did do a thorough check on us and did recommend a number of changes to our software. We didn't think any of them truly added security, but at least this way it was obvious that the cert company was doing their job.
The big problem is that we got that version of the software certified, taking about eight months and several employees' time. Now a few months later we come out with a new release! We can't get re-certified every time, even though they have a shortcut for recertifications. Keeping up with the short software release cycle would be way too expensive.
So we still have FIPS 140 certification listed as a feature of our product, but if a customer really wants that specific version, we have to sell him old software. As it turns out, no one does. All they really need is to be able to check the box that says we are certified, and then they're perfectly happy to take the latest software. The mere fact that we spent the time, effort and money to be certified is what really counts.
The DMCA makes it illegal to publish any sort of information that provides data relating to any sort of bug that could be potentially exploited.
In that case, can you point to where in the DMCA it says this? You might want to take a look at my earlier post, where I quoted the relevant part of the DMCA and showed how it would not apply to a Linux kernel patch. Please enlighten us.
An OS where the user can modify it at will is not a "known quantity" or signed, and even if it was, as soon as you recompile it you would break the signature. Basically, an OS where you are allowed to modify it, can not be trusted. (Allowing modifications being a large part of the "Freedom" involved in Free Software. You can't have it both ways).
There is some truth to this, but note that both HP and IBM have been reported to be working on "trusted Linux" concepts that include TCPA (a similar technology to Palladium). You're right that once a kernel is reviewed and content providers decide to trust it for this purpose, then changing the kernel would change the hash, and it would no longer be trusted. But it would still be open source and many people would prefer it to a closed source system like Windows.
Keep in mind that any more, most Linux users don't patch their operating systems, they don't build their own kernels. They buy or download one and use that. The "trusted Linux" kernels can be released and revved just like existing ones, and each new one can be checked that it doesn't break the trusted computing rules. So there will be periodic releases of new versions that are acceptable for use by content providers.
TCPA-compatible Linux systems can coexist with Palladium-compliant Windows computers, and both can be used for viewing restricted content. You may not choose to call these Linux systems open source, but for the majority of Linux users, things won't be any different than they are today, except that they can download and view protected digital content.
Palladium programs and any Palladium data can only be used on a trusted nub ("nub" basically means kernel). Any changes to the nub are going to have to be submitted for approval as a new trusted nub. How long will this approval process take?
That is a good question. Microsoft has said they are going to publish the source code of the nub, in order to promote independent review. One might suppose that they will do this sometime before the release of the technology. So a couple of related questions you might ask:
Is this true, will they release the nub source before Palladium is fielded?
If the nub changes, does that affect systems that are fielded; in particular does the remote attestation feature (where one system reports a hash of its software to the other) include a hash of the nub? So would fielded systems break if the nub hash changed?
I'll reply to several comments in one message.
try explaining that to my Mom when she can no longer read her email because the computer crashed
It wouldn't be for all her data, just the sensitive stuff which got locked up, like movies and music under DRM control, or maybe bank account passwords and such.
The process you describe would require that every PC owner (we're talking hundreds of millions and soon billions) diligently backs up their key and keeps it safe
It would just go to a disk file. We were assuming the computer crashed and the disk was OK. If the disk is dead, your data is lost anyway. But if the disk is OK you can get the backed-up key data from a disk file.
Wouldn't this imply that if the hardware vendor died and sold off all of its IP (to help pay off those debts) that if your hardware died, your data would in effect be gone forever, or you would have to illegally violate DMCA to get to it?
I suppose, but Intel is probably not going out of business any time soon. I think you have worse things to worry about than that.
So, when I do this very thing (exporting blob, sending, they reencrypt, reentering the code in a new chip, etc) when my chip has _not_ fried, means I have now two PCs that can both access the same data? So perfect protection is not guaranteed anymore. Right?
Yes, you might be able to pull a con and claim one computer was dead, cloning its key into another computer this way, so you'd have two computers that could both view the data. But it's just those two computers, you still can't put the data out on KaZaA or anything. This is a tiny security leak which the content companies don't care about.
This all assumes that the chipmaker stays in business forever, that your blob cannot become corrupted, and that the next generation chip will use the same blob format. Even if your idea works perfectly in a perfect world, how do you protect against these other drawbacks, especially if you have no CHOICE in how you store your data??
Well, these don't seem to be particularly hard assumptions. Intel probably won't go out of business, most files don't become corrupted, and they will obviously need to have some form of backwards compatibility when they come out with version 2. Keep in mind too that this is just for the "vaulted" data like DRM controlled content, it's not your whole disk. You're going to have these problems with any kind of DRM controls.
Ultimately you either need to persuade someone to give you their creative output in the clear, or else accept that they're only going to give it to you in some encrypted form with restrictions. You both have free choice; they can give it out as they choose, and you can use it or not. No one is being forced to do anything here.
I can understand that people may be worried about publishing kernel patches, but careful reading of the above makes it very clear that these do not violate the DMCA, even if they inadvertently or implicitly reveal information that could be used to defeat copyright protection. The reason is simply that this is not the primary design and purpose of the information. Rather, the information is designed to extend and improve the functionality of the Linux kernel.
Contrast this with the Sklyarov case, where the primary purpose of the information and technology he presented was to defeat copyright protection. The situations are completely different.
I can't blame Europeans for being excessively cautious with regard to American law, but they could consult with a lawyer and be reassured. My opinion is that this is really a political statement, and that they are being disingenuous in claiming to be afraid of prosecution.
I'd like to hear more about Microsoft's claim that Palladium can't be used for copy protection of software. What about the idea of sealing (encrypting) part of the program using Palladium, loading it into secure memory, decrypting it and then running it? That would seem to allow for program code to be locked to a given computer, which is the essence of copy protection.
Yet Microsoft claims that Palladium won't facilitate copy protection. Is there some specific technical reason why this scenario won't work? Or does Microsoft just mean that they don't plan to use this method at present?
If it works like TCPA, each trusted module ("Fritz chip") generates its own public/private key pair. The private key stays on the chip and never comes off. No one ever learns the private key; not Microsoft, not the chip maker, not the user who purchases the computer.
The public key gets exported, and then gets certified by some kind of CA analogous to Verisign.
How does a new media producer get their media "signed"?
Palladium doesn't do anything like this, as far as I know. What it allows is that a company could run a server that is able to check the hash of a given piece of client software that is connecting to it from a remote system. This way the server can refuse to download content unless a piece of software it trusts is running remotely.
So if you have some content to distribute, you could write a client and build the legitimate hash of that client into your server. The server would only download if the remote hash of the client software matched what was built into it.
What happens if a key is compromised?
If it were the CA key, it would be as disastrous as if the Verisign CA key were compromised; all the security of the system would be lost.
If a trusted module secret key were pulled off the chip somehow, you could build an emulator that pretended to be that chip. Your emulated PC could then download data and bypass the DRM rules or whatever other rules were supposed to be supported.
If Palladium is supposed to increase security by allowing only signed programs to execute
This is a myth! Look through this discussion and you see this misconception proposed and corrected over and over and over again.
Where are you people getting this? Why do you think Palladium only runs signed code?
That would be another good question to ask: how big is the curtained memory (or whatever they're calling it now)? It's not supposed to hold your whole program, just the "trusted agent" portion of it, so maybe it doesn't have to be that big.
You could ask for more details on how this works: does it hold more than one program at a time? Do programs swap in and out of it? What if one trusted agent went bad, could it hurt another one?
This still leaves mostly the same question, if my machine is offline. Of course, that really could be a question in and of itself.. how does the system function with a non-networked computer?
If your system is offline or un-networked, you can still use the Palladium "virtual vault" and "curtained memory". This would allow your software to create a crypto key and store some data encrypted with it, such that no other software would be able to read that data. Not even the owner of the computer could get to that data except under the rules that your software enforced. He couldn't virtualize it, he couldn't emulate it, he couldn't use a debugger or patch the software.
The reason he can't virtualize your software or run it on an emulation layer is that the data is encrypted with a key that is locked in the crypto chip. The emulator doesn't have that key and so it can't decrypt the data. The reason he can't use a debugger is because (part of) your software runs in the special memory region which is off limits to debuggers. And the reason he can't patch your software (on the disk, say) is because that changes the software hash, which the crypto chip checks when it goes to decrypt the data, to see if it matches what it was when the data was encrypted. Changing the software changes the hash; changing the hash keeps you from getting at the data.
He could still get at the data if he used some hardware hacks, like dual-ported ram or exotic techniques to extract data from the secure crypto chip. These are probably outside of the expertise of the average hacker, though.
So what does "trusted" mean here? It means that your software can manage data and behave in a predictable manner, enforcing specified rules for manipulating the data.
What kind of data recovery plans will exist if I buy $1000 dollars worth of digital music that is tied to my processor, only to have my processor get fried in a power surge? Will there be any way to recover my investment, or is it lost? If so, what's to prevent hackers from using that recovery mechanism? If not, how can this be a benefit to customers?
Microsoft hasn't said how this would work, and it is certainly a good question. But I don't agree with your implication that it is somehow an unsolvable problem or indicates that Palladium must be weak.
The related TCPA scheme did have a proposal for how to deal with this. The idea is that your crypto chip has a key in it that encrypts all this data. You can get it to export this key in a "blob" that can only be decrypted by the manufacturer. (Actually the key is exported in two parts, one in the clear and one in the blob, that have to be XOR'd together to recover the real key.)
If your crypto chip dies, you buy a new computer or motherboard with a new chip. You send the backed-up blob and the new chip identifier to the manufacturer, who decrypts the blob data and re-encrypts it for the new chip, and sends it back to you. You then enter this into the new chip, along with the other half of the key, and presto, your new chip is initialized with the same key that was in the old one. So your new computer can read the data that was locked to the old computer.
This is all done in such a way that neither you nor the manufacturer ever sees the crypto key, so the data is still protected.
Now, this is pretty cumbersome, and maybe Microsoft will come out with something better. If this is really going to be a detailed technical presentation, this would be an excellent question to ask. Just don't assume they can't answer it!
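A small model of the two mechanisms described in the posts above: sealing data to a hash of the software, and moving the chip key to a replacement chip through the manufacturer using a two-part (XOR) export. This is an added example, not part of the original posts and not Microsoft's or the TCPA's code; the `Chip` and `Manufacturer` classes, the toy HMAC-based cipher, and the symmetric keys standing in for the manufacturer's and the chip's public keys are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, b"enc" + block, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (assumption: stand-in for a real AEAD)."""
    nonce = os.urandom(16)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, box: bytes) -> bytes:
    nonce, ct, tag = box[:16], box[16:-32], box[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return _xor(ct, _keystream(key, nonce, len(ct)))


class Chip:
    """Hypothetical crypto chip: the root key never leaves it in the clear."""

    def __init__(self, maker_key: bytes, transport_key: bytes):
        self._root = os.urandom(32)
        self._maker_key = maker_key          # stand-in for maker's public key
        self._transport_key = transport_key  # stand-in for this chip's key pair

    def seal(self, software: bytes, data: bytes) -> bytes:
        # Record the hash of the sealing software inside the encrypted blob.
        return encrypt(self._root, hashlib.sha256(software).digest() + data)

    def unseal(self, software: bytes, box: bytes) -> bytes:
        plain = decrypt(self._root, box)     # fails on a chip without the key
        sealed_hash, data = plain[:32], plain[32:]
        current = hashlib.sha256(software).digest()
        if not hmac.compare_digest(sealed_hash, current):
            raise PermissionError("software hash changed since sealing")
        return data

    def export_backup(self):
        # Two parts: one in the clear, one in a blob only the maker can open.
        clear_half = os.urandom(32)
        blob = encrypt(self._maker_key, _xor(self._root, clear_half))
        return clear_half, blob

    def import_backup(self, clear_half: bytes, blob_for_me: bytes) -> None:
        hidden_half = decrypt(self._transport_key, blob_for_me)
        self._root = _xor(hidden_half, clear_half)


class Manufacturer:
    """Sees only the hidden half, never the clear half or the root key."""

    def __init__(self):
        self._key = os.urandom(32)
        self._transport_keys = {}

    def make_chip(self, chip_id: str) -> Chip:
        self._transport_keys[chip_id] = os.urandom(32)
        return Chip(self._key, self._transport_keys[chip_id])

    def reencrypt(self, blob: bytes, new_chip_id: str) -> bytes:
        hidden_half = decrypt(self._key, blob)
        return encrypt(self._transport_keys[new_chip_id], hidden_half)


if __name__ == "__main__":
    maker = Manufacturer()
    old_chip, new_chip = maker.make_chip("old"), maker.make_chip("new")
    player = b"constructed sample: media player binary v1.0"
    box = old_chip.seal(player, b"content key")
    clear_half, blob = old_chip.export_backup()      # saved to a disk file
    new_chip.import_backup(clear_half, maker.reencrypt(blob, "new"))
    print(new_chip.unseal(player, box))
```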
More of a basic business question, but didn't anyone learn from Intel's ill-fated processor serial number "feature" in the Pentium III, or the Div-X movie fiasco? Why would consumers want this at all, and why will they choose it over other alternatives?
The answer is obvious. Once Palladium is in widespread use, (legitimate) content will only be made available to systems that use Palladium to enforce DRM. So a consumer will want to buy a Palladium box because that is the only way that he can download the latest PPV movies, super-CD-quality audio, and other 21st century content that we haven't even thought of yet.
Microsoft benefits by providing a technology which will make the content companies feel comfortable in releasing their data in digital form. This will make PCs more valuable and sell more of them, which means more copies sold of Windows and more money in Microsoft's pocket.
I would ask this:
Will it be possible for new peripheral devices, like disk players for Super Audio CD or DVD-Audio, to use Palladium to make sure that only "authorized" (by the drive manufacturer) software can read the data from the disk drive? I.e. will the drive firmware be able to use Palladium to get an attestation on the secure hash of the running software that is trying to access the drive?
This would end unauthorized ripping of data from these new formats, which would be tremendously valuable to the content companies. It is plausible that these companies would only allow their drives to go into computers if Palladium could provide this assurance. Therefore by providing this capability, Microsoft would make PCs more attractive and useful to consumers, sell more copies of Windows, and make more money.
Microsoft has both the incentive and the technological capability to do it. But they haven't said if they will, and none of their public discussion has touched this issue. Please ask them.
what do you do when someone exploits a buffer overrun or a backdoor--or a macro in Word 95--to run arbitrary code, and disable all Palladium features
Palladium has a concept called "curtained memory". It is immune to being touched by ordinary code, you have to be in a new CPU mode which is being defined as part of the Palladium spec (some observers call it "ring -1"). Most buffer overruns and similar bugs will not escalate your privileges high enough to touch the Palladium secure area, even if you can get into (normal) kernel mode.
My understanding is that you'd have to find a bug in the OS kernel software component that runs in the curtained area, which Microsoft calls the "nub" or "Trusted Operating Root". They intend to publish this relatively small software component for review in the hopes that it can be made bug free. If so then bugs in other parts of the software will not defeat Palladium security.
I can answer these already from publicly available information.
1. Will it be possible, as a home user, to create and digitally sign a creative piece of work? Such as, a home movie?
2. What ramifications will this have on digital content created before the introduction of Palladium? Will it still play?
You seem to be under the impression that there is such a thing as "Palladium content" and that it is digitally signed. This is not true. Palladium is a technology that allows software to (A) run unmolested, (B) report its hash securely to a remote system, and (C) create encrypted data files which are locked to a hash of the software.
This means that what is special about a Palladium enabled viewer is not that it only views Palladium content, because there is no such thing. Rather, this viewer can prove its identity (its software hash) to a remote system. That way, if the viewer does enable DRM or some other policies for handling data, the remote system can check for that before downloading data.
So there is no need to digitally sign your content in order for it to play, unless someone creates a viewer that only plays such content, which they could do today independent of Palladium. And your question about old content is likewise misguided, as Palladium is fully compatible with viewers that play old content.
3. Will the information necessary to create a Palladium enabled viewer be available to the public? Or will we only be able to use Windows Media Player to play Palladium enabled content? What are the projected licensing costs for a company that wishes to create a viewer that is able to view Palladium enabled content?
This is a better question. Microsoft has implied that they will publish the API to use the Palladium services just like they document all of their other OS services, but it would be good to hear them say that they will be freely available so that everyone could write their own viewers (and other software).
4. Will hardware that requires a signature be able to run content that does not have one? (if yes) Will this then mean that any software that pre-dates the hardware must be upgraded? (if no) Then how will this system differentiate between a desired, older, program, and a virus?
Again, you are thinking in terms of signed content, which is not a Palladium concept.
The only way I can see it possible to effectively implement DRM is to require computers to not play any digital content that does not have a valid encrypted signature, as provided by the various media companies, and/or Microsoft and Intel.
Microsoft has said many times that Palladium does not do this. Of course, anyone could write software which would only play content that had a signature, and that software could otherwise use some Palladium features. But this is not Palladium functionality per se.
What Palladium does is kind of the reverse: it lets the remote server check that you are running "kosher" software. A remote server could refuse to stream content to anything other than Windows Media Player, for example. Palladium would allow WMP to cryptographically prove to the remote server that it was running, and nobody could write a "fake" WMP that could fool the remote system.
Then WMP can impose whatever DRM policies it wants, and the remote server can be confident that the data it sent to you will be managed under those DRM policies.
And of course you can always decide not to download the data, if you don't care to accept the terms under which it is offered.
In this system it seems likely that it is in Microsoft's interest to keep WMP "open" and allow it to play content from as many people as possible. That makes the software more widely useful and ultimately will sell more copies of Windows.
However, it's also possible that Sony or some other content company could create their own media player software, and it might only play Sony content. Again, this would not be a Palladium feature. The only place Palladium would come in is that the Sony servers could make sure that they only downloaded their content to Sony media players.
Oh, also Palladium would allow Sony or the WMP to store their files encrypted on your disk in a really secure way, so that short of hardware hacking you probably won't be able to break the encryption.
How can user written software run on a 'trusted' system?
It's obvious, if you're familiar with the Palladium information that has been released. All software, whoever writes it, will be able to make use of Palladium features via a new API.
What are the Palladium features? Your software will be able to create a "virtual vault" that other software can't see into (an encrypted disk file locked to a hash of your software). You can have a "trusted agent" that runs in a secure memory area which is immune to being inspected or changed using debuggers, virtualizers, etc. You can get the OS to securely report a hash of your software to third parties, cryptographically signed by a key which is locked in the Palladium hardware.
The sense in which these features entitle your software to be called "trusted" is beyond the scope of this reply.
I strongly suggest that the OP read the Palladium docs that are available to familiarize himself with the system before he goes to this lecture.
An argument starts with premises, uses logic and reaches a conclusion. All I see here is the conclusion.
The whole essay is like this, a bunch of flat statements of opinion without justification or support. He keeps saying that intellectual property is a bad idea, but he never says what's wrong with it! Anyone who sees this article as well-written is looking at it from a highly partisan perspective.
What really bothers me on these issues is this: where are those who are searching for truth? Those without an axe to grind, those who are looking for accurate facts and valid arguments? It seems with 90% of the people involved, the positions they take are exactly aligned with their economic interests. They are saying exactly the same things that they would say if they were total liars and only interested in fattening their own wallets, whether as consumers or producers.
Who can claim differently? Who here is objectively interested in the truth on these complex issues, irrespective of whether it helps or hurts him economically?
What people are forgetting here is that Congress represents the people of the United States. Representatives and Senators serve at the pleasure of their constituents. If they consistently pass laws which the people of the United States hate, they will lose their jobs.
This is why the Supreme Court is hesitant to overturn such laws, because there is another check on unjust laws, namely the ballot box. It is only when Congress is overstepping its bounds in a matter where the people support them that the Court is really needed to step in. When the majority takes on too much power and infringes on the rights of the minority, the Supreme Court can act to limit these excesses.
But this does not seem to be what is happening in the case of copyright extensions. It's not like there's a powerless minority whose rights are being infringed by policies supported by the majority of the American people. Rather, these copyright extensions are technical matters that most people simply don't care about. They aren't important enough to make or break a Congressman's career.
What needs to happen is that this has to be solved in the political arena. People who think that copyright policy should be changed need to convince others of that fact, to get them interested in the dispute, to attract supporters and political power. Then they can convince Congress to change its policies.
This issue is simply and fundamentally a matter of politics. The dispute needs to be resolved in the political arena. It may seem easier to convince 9 members of the Supreme Court than the American people. But ultimately it will be more just and more fair to effect change by convincing people, the American people, that these changes are worthwhile.
We have a representative government, but that doesn't mean that everything they do is what you personally would want. What it does mean is that you can try to convince people that your ideas are good, and if you get enough support, the government will go along. That is the proper course for political change in a representative democracy.
I've had TiVo for almost three years, and it's crazy to compare it to a VCR. They are nothing alike, the quantitative difference between what they can do is so great that it becomes qualitative.
With TiVo, TV is no longer a time-oriented medium. You don't watch shows when they're on, you watch them when you want to. The only way time matters is that a new show is only available on or after a certain time. It's more like a webcast, or a magazine-type site like The Onion. You're not required to sit there in front of your computer at 6 AM Monday every week to watch the new update of The Onion. You can watch it any time you want, it's just that you know a new one is available on a regular basis. All of TV is that way once you have TiVo.
Of course TiVo isn't the only way to get this. You can use Replay, or Microsoft's new box, or with a lot more effort you can set up a computer to do it. Any of these will give you those improvements.
But whatever you do, don't make the mistake of thinking it's a VCR. It's not, it's a device that turns TV into something that's more like a subset of the web, in that you have instant access to many, many hours of content, whatever has been updated since you viewed it last.